Off the Microsoft stack!

Tag Archives: permissions

Have you ever had this happen to you? You installed TFS with SharePoint for a colleague. You make sure TFS is running, make sure SharePoint is up. You add your colleague to the local administrators group. You add her to the TFS admin tool. You write her an email telling her where to find her fresh installation of TFS and you’re just about to pat yourself on the back, when you get a message from her saying she can’t run PCW. She’s getting an error message that looks like this one:

If you’re anything like me, you sigh mightily.

Why can’t she (user2) run PCW? What is this about!? I already added her to the Farm Admin group (see below), but that didn’t help with this error.

It’s a permission issue, but it’s not Farm Admin permissions that are needed. The solution is to add the user in question to the SharePoint site at the collection level. So, for example, navigate here on the SharePoint site (not the SharePoint Central Administration site, but the site where the portal for the team project is created):

http://sharepoint:80/sites/defaultcollection/default.aspx

Here is what I did:

1) Someone who already has permissions has to go to /sites/defaultcollection/default.aspx and share the site with the new user.

2) Once you add the user, go to site permissions (click the wheel) and then give the user “full control.”

If you click the name, it lights up Edit User Permissions and you can click Full control on the next screen.

Like this:

Recently a customer wrote to make sure that the TFS service accounts they were using were granted the bare minimum of privileges required to run TFS. This is smart. When dealing with permissions and service accounts, less is always better.

You never want to give your service account more permissions than required to run the application for which it’s set up. Why? Prudence. If someone manages to compromise your service account—or any account you manage, for that matter—your data and assets are at less risk if the compromised account has access to exactly the permissions it needs and nothing more.

For the service accounts of the various components that come on the TFS 2010 DVD, that mostly means giving the service account the Log on as a service right. For the service account for the TFS application tier, you have to do a little more—it needs to appear in the Content Manager role on the Report Server (if you are using a report server) and in the Farm Administrators group on SharePoint (if you’re using SharePoint).

All this information is documented in this topic, in the TFS installation guide.

Remember: You don’t want to give your service accounts too little permission, or the application won’t function correctly. But you don’t want to give your service accounts too much permission, because it’s risky. Instead you want to give your service accounts the exact amount of permissions they require.

You may not realize it, but if you’re a member of sysadmin on SQL Server, there is precious little you cannot do on the SQL Server. You are, essentially, a god. How did you get these permissions? If you’re using SQL Server Express, TFS setup gave them to you during installation. If you installed SQL Server manually, you most likely added yourself to this role as you were clicking through the installation wizard. Of course, the SQL Server installation wizard doesn’t tell you any of this. It asks something completely innocuous like “Add Current User?” But once you click that Add button, you have real power—at least on that SQL Server.

This is why many easygoing DBAs balk at the mere thought of hosting a TFS database. I recently read an email where one DBA joked that he had to get out the vinegar and wire brush to clean up his SQL Server after a TFS install. DBAs are sensitive like that.

Why does TFS need so many permissions? Good question. You can go here for an explanation. The bottom line, though, is that the person installing TFS needs to be a member of the sysadmin fixed server role on the SQL Server. If you installed SQL Server yourself, you most likely have these permissions. If you have to ask a DBA in your organization for them, be prepared to convince that DBA that TFS means the SQL Server no harm.
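Since sysadmin membership is easy to acquire and easy to forget, a quick audit after the install is the check a DBA will want. This T-SQL is an added example (not from the original post or from the TFS installation guide) that lists every login in the sysadmin fixed server role, reports whether the current login holds it, and checks one named login; the login name DOMAIN\tfsservice is a placeholder to replace with the account you actually used.

```sql
-- Audit sysadmin membership on the SQL Server that hosts TFS.
-- Run in SQL Server Management Studio or sqlcmd against the instance.

-- 1) Every login that is a member of the sysadmin fixed server role.
--    Installing TFS (or clicking "Add Current User" in SQL setup)
--    typically lands the installer here; anything unexpected should
--    be reviewed and removed once the install is finished.
SELECT  m.name        AS login_name,
        m.type_desc   AS login_type,      -- WINDOWS_LOGIN, SQL_LOGIN, WINDOWS_GROUP ...
        m.is_disabled AS is_disabled,
        m.create_date AS created
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 2) Does the login running this script hold sysadmin?
--    1 = yes, 0 = no. If you are the person who installed TFS,
--    expect 1; this is the "god" permission the post describes.
SELECT  SUSER_SNAME()                     AS current_login,
        IS_SRVROLEMEMBER(N'sysadmin')     AS is_sysadmin;

-- 3) Check a specific login, e.g. the TFS service account. Per the
--    installation guide the service account does NOT need sysadmin
--    (Log on as a service plus the report/SharePoint roles suffice),
--    so a 1 here is a sign the account is over-privileged.
DECLARE @login sysname = N'DOMAIN\tfsservice';   -- placeholder, replace
SELECT  @login                                   AS checked_login,
        IS_SRVROLEMEMBER(N'sysadmin', @login)    AS is_sysadmin;
-- NULL means the login does not exist on this instance.
```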